Security & Compliance

How we protect your data and your guests' data. Honest about what we have — and what we're building toward.

Security-first by design

We take security seriously — and we're honest about where we are.

VertexStay uses industry-standard encryption, AWS infrastructure, and GDPR-ready data practices. We're a new company, so we don't yet have a SOC 2 Type II audit or a formal penetration test on record — but we're building the controls required for both.

If your property has specific security requirements, talk to us. We'll give you an honest answer about whether we meet them today — and when we will if not.

AES-256 Encryption
GDPR Ready
AWS Hosted
99.9% Uptime SLA
Daily Backups
SOC 2 In Progress
What we have in place today

Security practices

AES-256 Encryption

All data encrypted at rest using AES-256. All data in transit protected by TLS 1.3. No plaintext storage of sensitive fields.

GDPR Ready

Built with GDPR requirements in mind. EU data residency available. Data Processing Agreement (DPA) available on request for all plans.

AWS Infrastructure

Hosted on AWS with multi-AZ redundancy, auto-scaling, and DDoS protection via AWS Shield. Network segmentation between application and database layers.

Daily Backups

Automated daily backups with point-in-time restore capability. Data retained for 30 days.

99.9% Uptime SLA

Contractual 99.9% uptime guarantee. Infrastructure monitored continuously with automated alerting.

SOC 2 In Progress

We are building the controls and documentation required for SOC 2 Type II certification. This audit is planned as we scale.

Technical Details

How we protect your data

Access Control

  • Role-based access control for all staff accounts
  • Principle of least privilege — every user gets minimum required access
  • Admin-level actions require re-authentication
  • Automatic session timeout after inactivity
  • All authentication events logged with IP and timestamp

Data Handling

  • Guest PII encrypted at rest and in transit
  • Passport and ID data treated as sensitive — no logging
  • Data deletion upon request within 30 days (GDPR Art. 17)
  • No data sold or shared with advertising networks
  • Sub-processor list maintained and available on request

Infrastructure

  • Hosted on AWS (us-east-1 and eu-west-1)
  • Auto-scaling with DDoS protection via AWS Shield
  • Network segmentation between application and database layers
  • Web Application Firewall (WAF) on all public endpoints
  • Secrets management via AWS Secrets Manager

Planned Security Investments

  • Third-party penetration testing — planned as we scale
  • SOC 2 Type II audit — controls currently being built
  • Formal vulnerability disclosure program — coming soon
  • Quarterly security review process — in development
Security FAQ

Common questions

Where is my data stored?

Data is stored on AWS infrastructure in the United States (us-east-1) by default. EU data residency (eu-west-1, Frankfurt) is available for all Professional and Enterprise plans — contact us to enable it.

Can I request a copy of my data?

Yes. You can export all your data at any time from the VertexStay admin panel in CSV format. You can also request a full data export from our support team, and we will deliver it within 5 business days.

What happens to my data if I cancel?

Your data is retained for 60 days after cancellation, giving you time to export everything. After 60 days, your data is permanently deleted from all systems. You can request immediate deletion if needed.

Do you share data with third parties?

No. We do not sell or share your data or your guests' data with advertising networks or third parties. We use sub-processors only for running the service itself — infrastructure, email delivery, and payments.

Is VertexStay SOC 2 certified?

Not yet. SOC 2 Type II certification is on our roadmap as we scale. We are building the required controls and documentation now. If SOC 2 is a hard requirement for your property, contact us to discuss our timeline.

Is VertexStay HIPAA compliant?

VertexStay is not HIPAA certified. We handle hospitality data, not healthcare data, so HIPAA is not applicable to our platform.

Do you offer a Data Processing Agreement (DPA)?

Yes. A DPA is available for all plans. Contact hello@vertexstay.com and we will send you a signed DPA within one business day.

Questions about security?

We're happy to answer detailed questions, walk through our practices, or discuss specific requirements for your property. We'd rather have an honest conversation upfront.